Kedro before version 1.3.0 improperly limits pathname traversal in the _get_versioned_path() method by directly interpolating user-supplied version strings without sanitization. This allows path traversal sequences such as '../' to escape the intended versioned dataset directory. The vulnerability is exploitable via multiple interfaces including catalog.load(..., version=...), DataCatalog.from_config(..., load_versions=...), and the CLI command kedro run --load-versions=dataset:../../../secrets. An attacker with the ability to influence the version string can cause Kedro to load files outside the intended directory, potentially leading to unauthorized file reads, data poisoning, or cross-tenant data exposure in multi-tenant environments. The vulnerability is tracked as CVE-2026-35167 and is classified under CWE-22. It has a CVSS 3.1 base score of 7.1 (high severity).

Successful exploitation allows an attacker with limited privileges (PR:L) to read sensitive files outside the intended dataset directory, potentially exposing confidential data or enabling data poisoning attacks. The vulnerability does not allow privilege escalation or denial of service but can compromise confidentiality and integrity of data processed by Kedro. This is particularly impactful in shared or multi-tenant environments where cross-tenant data access is possible.

This vulnerability is fixed in Kedro version 1.3.0. Users should upgrade to version 1.3.0 or later to remediate this issue. No official patch or temporary workaround is provided in the advisory data. Until upgrading, avoid using untrusted input for version strings in the affected methods and CLI commands to reduce risk. Patch status is not explicitly confirmed beyond the fix in version 1.3.0; users should verify with the vendor advisory for the latest remediation guidance.